REMARKS 

Claims 1, 12, 13, 15, 18-21, 23, 24, 26, 29-32, 34, and 35 have been amended. Claims 1 and 
12-35 remain pending. 

The Examiner has rejected claims 1, 12, 16-18, 21, 23, 27, 28, 29 and 32 under 35 U.S.C. 
§ 103(a) as being unpatentable over Besser (US Patent 6,212,563) in view of Ekstrom et al. (U.S. 
patent 5,968,126). Claims 13, 15, 20, 24, 26, and 31 are rejected under 35 U.S.C. § 103(a) as being 
unpatentable over Besser and Ekstrom in further view of Lim et al. (U.S. patent 5,884,024). Claims 
14, 19, 25, and 30 are rejected under 35 U.S.C. § 103(a) as being unpatentable over Besser and 
Ekstrom in further view of Woundy (U.S. patent 6,031,841). Claims 22 and 33 are rejected under 
35 U.S.C. § 103(a) as being unpatentable over Besser and Ekstrom in further view of Rekhter et al. 
(U.S. patent 6,339,595). The Examiner's rejections are respectfully traversed as follows. 

Claim 1 is directed towards an "apparatus for routing packets from a first network node to a 
second network node in a data network." Claim 1 recites "means for assigning and then sending a 
unique first node identifier (ID) to the first node, wherein the unique first node ID is assigned and 
sent in response to a request from the first node for an identity assignment, and wherein a first 
virtual private network (VPN) is provisioned by the apparatus for the unique first node ID and an 
association between the first VPN and the unique first node ID is maintained by the apparatus." 
Claim 1 further recites "means for receiving a packet from the first node, said packet including the 
unique first node ID and routing information for routing said packet to a destination address 
associated with said second node" and "means for routing the received packet to the destination 
address based on the received routing information, the received unique first node ID and its 
association with the first VPN, and the destination address being associated with the first VPN." 
Claims 12 and 23 recite techniques or apparatus for performing similar operations. 

Since apparatus and techniques of the present invention are operable to provision a VPN for 
a requested unique node ID and provide an association with such VPN to such unique ID at the 
intermediary apparatus, embodiments of the present invention provide intelligence in the network, 
rather than the individual endnodes. Since VPN provisioning is provided in the network, each 
individual endnode does not have to be configured with a particular VPN. Additionally, since VPN 
packets can be routed by the network apparatus based on the maintained VPN association with the 
unique ID, VPN packets can be routed between endnodes without going through a VPN gateway or 
use of a VPN ID in the packet. For instance, the following Fig. 3B illustrates an example 
implementation of this routing feature: 

Fig. 3B 

In the example of FIGURE 3B, cable modem 308 (CM4) attempts to send a packet to cable modem 
310 (CM5). Both the CM4 and CM5 modems (or the respective devices behind these modems, not 
shown) are members of the same VPN, namely VPN2. Conventionally, in order for CM4 to send a 
packet to CM5, the packet must first be routed out of the access network, through CE device 362, 
and then back to CMTS 324 where it is eventually forwarded to CM5. However, using the 
technique of the present invention, packets from CM4 may be routed to CM5 via CMTS 324 in a 
manner that does not require the packets to be routed through the VPN2 CE device 362 or even 
outside the cable operator's network. More specifically, CM4 sends a packet to the CMTS via 
upstream channel 308a. The CMTS identifies the SID (or other unique ID) associated with CM4, 
and using an association between this SID and a VPN determines that CM4 is associated with the 
VPN2 network. The CMTS then examines routing information to determine the destination IP 
address of the packet. Consulting a VRF Table associated with the VPN2 network (not shown), the 
CMTS determines that the next hop (and final destination) specified for the packet's destination IP 
address is the CMTS. 

The Examiner admits that the primary reference Besser fails to disclose "each of the one or 
more unique first node ID's is associated with a first virtual private network (VPN)" or the routing 
limitations. The secondary reference Ekstrom is cited as disclosing these features. In general, 
Ekstrom is directed towards techniques for allowing different users of a station to be assigned to 
different VLAN's. See Abstract. However, Ekstrom does not appear to disclose apparatus or 
techniques in which "a first virtual private network (VPN) is provisioned for the unique first node 
ID [that is requested by the first node] and an association between the first VPN and the unique first 
node ID is maintained by the apparatus" [which is configured to handle the request for such unique 
first node ID and route VPN packets], in the manner claimed. Specifically, Ekstrom discloses a 
UBVMS server 144 that causes a client station to be switched to a specific VLAN based on the 
current user logging into such station. See Col. 5, Lines 59-65. This UBVMS server sends a 
response to the client station indicating a VLAN switch (during login). See Col. 5, Lines 49-59. 
The station then releases its current IP lease and repeatedly requests a new IP address (from DHCP 
server) until the obtained IP address matches the VLAN assigned for the client station. See Col. 6, 
Lines 61-63 and Col. 7, Lines 25-52. Although one can argue that Ekstrom maintains an association 
between users and VLANs (at the UBVMS server), such association of a VLAN is not provisioned 
and maintained for an ID that was requested by and sent to the client station, in the manner claimed. 

Additionally, Ekstrom discloses that messages are routed among VLANs through a router 
based on VLAN ID tags, rather than being based on the packet's received routing information, 
received unique first node ID and its association with the first VPN, and the destination address 
being associated with the first VPN, in the manner claimed. Specifically, Ekstrom discloses that 
"router 140 can communicate with many VLANs, possibly all VLANs defined for switch fabric 
130" and "[r]outer 140 may choose to allow different VLANs to communicate." See Col. 3, Lines 
58-65. Although Ekstrom does describe packets on the specific VLAN ports (e.g., 136) as not 
including a VLAN ID (see Col. 56-57), Ekstrom goes on to explain that the switch fabric 130 "will 
append to the request the VLAN ID tag (Table 1) of the VLAN containing the port 136 on which the 
request was received by the switch fabric" and then Ekstrom describes immediate handling of the 
packet and its VLAN ID by the router 140. See Col. 9, Lines 13-29. Accordingly, the routing of 
Ekstrom appears to merely be based on the VLAN ID, rather than being based on a received unique 
first node ID and its association with the first VPN, in the manner claimed. 

In light of the foregoing, it is respectfully submitted that claims 1, 12, and 23 are patentable 
over the cited art of record. The Examiner's rejections of the dependent claims are also respectfully 
traversed. However, to expedite prosecution, all of these claims will not be argued separately. 
Claims 13-22 and 24-35 each depend directly or indirectly from independent claims 12 or 23 and, 
therefore, are respectfully submitted to be patentable over cited art for at least the reasons set forth 
above with respect to claims 12 or 23. Further, the dependent claims require additional elements 
that when considered in context of the claimed inventions further patentably distinguish the 
invention from the cited art. 

Applicant believes that all pending claims are allowable and respectfully requests a Notice of 
Allowance for this application from the Examiner. If the Examiner believes that a telephone 
conference would expedite the prosecution of this application, the undersigned can be reached at the 
telephone number listed at the bottom of this page. 

Applicants hereby petition for any extension of time that may be required to maintain the 
pendency of this case, and any required fee for such extension or any further fee required in 
connection with the filing of this amendment is to be charged to Deposit Account No. 504480 
(Order No. CISCP134C1). 

Respectfully submitted, 

Weaver Austin Villeneuve & Sampson LLP 

/Mary R. Olynick/ 
Mary R. Olynick 
Reg. 42,963 

P.O. Box 70250 
Oakland, CA 94612-0250 
(510) 663-1100 